OK. I know this is one of the most asked questions here. But most answers are either telling me to add nologin to allowed shells (nope… not doing that) or disabling SELinux (which I don't have – Ubuntu Server 16.04 RPi3).
Another option I saw was setting my pam_service_name to ftp. Well, this worked! But then I further read that this allows anyone to log in as it is just bypassing the PAM service. So I thought, well, let's make a file named ftp in the /etc/pam.d/ directory and work with that.
I filled the file with the following:
auth required /lib/arm-linux-gnueabihf/security/pam_nologin.so
account required /lib/arm-linux-gnueabihf/security/pam_unix.so
password required /lib/arm-linux-gnueabihf/security/pam_unix.so
I am missing something, I don't know what. This is the first time I'm messing with PAM, so honestly I have no idea what I am doing.
The setup I want is to only allow UNIX users with the nologin shell to be authenticated by vsftpd.
Regards
Best Answer
After reading a few articles I kinda understand how PAM works.
The files in /etc/pam.d are basically a list of conditions that are checked when that module/service is being used. So when I set the contents of the file /etc/pam.d/ftp to the following:
I get what I need, i.e. only UNIX users that are in the ftp group with nologin as shell can log in.
Explanation of what each line does:
1. USER in /etc/ftpusers file THEN DENY ELSE ALLOW and GOTO next RULE
2. USER in GROUP ftp THEN ALLOW and GOTO next RULE ELSE DENY
3. USER's SHELL = /usr/sbin/nologin THEN ALLOW and GOTO next RULE ELSE DENY
All the rules are basically AND'ed when they are of type REQUIRED.
I am linking the guide I followed. I also used the Linux manual pages for PAM, but am not linking them.
Feel free to add anything I have missed. This was my first time with PAM, and I think I love this feature.
Regards!
An Easy Guide to Linux-PAM by DZONE.com
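Added example, not part of the question or the answer above: a complete /etc/pam.d/ftp stack that encodes the answer's three rules with the stock Linux-PAM modules pam_listfile and pam_succeed_if (module names only, no /lib/arm-linux-gnueabihf/security/ paths, since PAM resolves them itself), followed by a small shell re-implementation of the same AND'ed checks against constructed passwd/group/ftpusers files so the decision logic can be exercised without root, vsftpd or PAM. The stack assumes vsftpd.conf sets pam_service_name=ftp; the sample users, groups and the temporary directory are constructed here and are not real system data.

```shell
#!/bin/sh
# Added example (not the question's or answer's own config).
#   pam_ftp_stack     - prints the /etc/pam.d/ftp stack for the three rules
#   ftp_login_allowed - emulates those auth rules in shell (0 = allow, 1 = deny)
#   make_sample_db    - writes constructed passwd/group/ftpusers files to a tmp dir
# Assumption: vsftpd.conf contains pam_service_name=ftp.

pam_ftp_stack() {
    cat <<'EOF'
# /etc/pam.d/ftp  (selected by pam_service_name=ftp in vsftpd.conf)
# Rule 1: user listed in /etc/ftpusers -> deny. onerr=succeed means a missing
#         or unreadable list does not block everyone; the later rules still apply.
auth    required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Rule 2: user must be a member of group ftp (primary or supplementary)
auth    required  pam_succeed_if.so user ingroup ftp
# Rule 3: user's login shell must be /usr/sbin/nologin
auth    required  pam_succeed_if.so shell = /usr/sbin/nologin
# Password check against /etc/shadow. Without this line no module verifies the
# password at all and any password would be accepted once the filters pass.
auth    required  pam_unix.so
account required  pam_unix.so
session required  pam_unix.so
EOF
}

# Emulation of the three auth rules above. Args: user passwd_file group_file ftpusers_file
ftp_login_allowed() {
    user=$1; passwd=$2; group=$3; ftpusers=$4

    # Rule 1 (pam_listfile sense=deny, onerr=succeed): listed user -> deny, missing file -> pass
    if [ -f "$ftpusers" ] && grep -qxF "$user" "$ftpusers"; then
        return 1
    fi

    # Rule 2 (pam_succeed_if "user ingroup ftp"): primary gid or supplementary member list
    ftp_gid=$(awk -F: '$1=="ftp"{print $3}' "$group")
    user_gid=$(awk -F: -v u="$user" '$1==u{print $4}' "$passwd")
    [ -n "$user_gid" ] || return 1            # unknown user: nothing to succeed on
    in_group=0
    [ -n "$ftp_gid" ] && [ "$user_gid" = "$ftp_gid" ] && in_group=1
    awk -F: '$1=="ftp"{print $4}' "$group" | tr ',' '\n' | grep -qxF "$user" && in_group=1
    [ "$in_group" = 1 ] || return 1

    # Rule 3 (pam_succeed_if "shell = /usr/sbin/nologin")
    user_shell=$(awk -F: -v u="$user" '$1==u{print $7}' "$passwd")
    [ "$user_shell" = /usr/sbin/nologin ] || return 1

    return 0   # every REQUIRED rule passed; in real PAM pam_unix.so now checks the password
}

# Constructed sample databases (not real system files). Prints the directory path.
make_sample_db() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:alice:/home/alice:/bin/bash
ftpa:x:1002:2000:ftp only, primary group ftp:/srv/ftp/ftpa:/usr/sbin/nologin
ftpb:x:1003:1003:ftp only, supplementary group ftp:/srv/ftp/ftpb:/usr/sbin/nologin
shelly:x:1005:2000:in group ftp but has a real shell:/home/shelly:/bin/bash
mallory:x:1004:2000:banned via ftpusers:/srv/ftp/mallory:/usr/sbin/nologin
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
alice:x:1001:
ftp:x:2000:ftpb
ftpb:x:1003:
EOF
    printf 'root\nmallory\n' > "$dir/ftpusers"
    echo "$dir"
}

# Stand-alone demo: print the stack, then the decision for each constructed user.
db=$(make_sample_db)
pam_ftp_stack
for u in root alice ftpa ftpb shelly mallory nobody; do
    if ftp_login_allowed "$u" "$db/passwd" "$db/group" "$db/ftpusers"; then
        echo "$u: allow"
    else
        echo "$u: deny"
    fi
done
rm -rf "$db"
```

Only ftpa and ftpb are allowed: root and mallory fall to rule 1, alice to rule 2, shelly to rule 3, and an unknown user to rule 2. The emulation stops at the first failing rule in stack order, which is also how PAM behaves for required modules, except that PAM keeps running the remaining modules (and still reports failure) so that an attacker cannot tell from timing which rule rejected them.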